Re: [w3ctag/design-reviews] Trusted Types (#198)

Thanks for taking another look at TT! :)

Regarding intent-to-ship & 3 issues: It's certainly our intent to have addressed the concerns.

- Extensibility: I think this is done. The original concern was correct, in that extending the design (e.g. to cover CSS) was risky. With [the require-trusted-types-for directive](https://github.com/w3c/webappsec-trusted-types/issues/241) it's straightforward for the page author to indicate what scope they intended for the current version of their page.

- DOM node manipulation & friends + "default policy": This is the same issue. Or actually, it's an extended version of the original issue. When we presented & discussed our first attempt at fixing this, we discovered that the issue runs a bit deeper than we had initially understood. We think we [have now fixed this](https://github.com/w3c/webappsec-trusted-types/issues/248) (in the spec; the implementation is still being finished), by checking the `<script>` text against a shadow slot, and by more precisely spec-ing and implementing when the "default policy" runs. ([The last comment](https://github.com/w3c/webappsec-trusted-types/issues/248#issuecomment-576373688) explicitly lists the 4 items that address the original DOM node manipulation issue.)

- Dev support: We've run an [origin trial](https://www.chromium.org/blink/origin-trials) and are experimenting with TT within Google. We have also received feedback from external parties, although they don't seem too keen on making public statements in this phase. So this is arguably still open. However, it seems that we have largely exhausted the feedback potential for experimental features: Developers will put only a modest amount of work into an unreleased feature. We will get more & more qualified feedback only after making this more widely available.

Explainer: The broad strokes of the explainer are correct, but it doesn't reflect recent changes to the spec. We need to update it & add more detail.

-- 
View it on GitHub:
https://github.com/w3ctag/design-reviews/issues/198#issuecomment-580365477

Received on Thursday, 30 January 2020 17:29:41 UTC